50 changes: 23 additions & 27 deletions EIPS/eip-3026.md
@@ -1,21 +1,19 @@
---
eip: 3026
title: BW6-761 curve operations
description: Precompiles for BW6-761 curve operations
author: Youssef El Housni (@yelhousni), Michael Connor (@iAmMichaelConnor), Aurore Guillevic <aurore.guillevic@inria.fr>, hujw77 (@hujw77)
discussions-to: https://ethereum-magicians.org/t/eip-3026-bw6-761-curve-operations/4790
status: Draft
type: Standards Track
category: Core
requires: 2539
created: 2020-10-05
requires: 2539
---

## Simple Summary

This precompile adds operations for the BW6-761 curve (from the EY/Inria [research paper](https://eprint.iacr.org/2020/351.pdf)) as a precompile in a set necessary to *efficiently* perform verification of one-layer composed zkSNARKs proofs.

## Abstract

This precompile adds operations for the BW6-761 curve (from the EY/Inria **Optimized and secure pairing-friendly elliptic curves suitable for one layer proof composition** research paper) as a precompile in a set necessary to *efficiently* perform verification of one-layer composed zkSNARKs proofs.
If `block.number >= X` we introduce *seven* separate precompiles to perform the following operations (addresses to be determined):

- BW6_G1_ADD - to perform point addition on a curve defined over a prime field
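Review bot: the Abstract now cites the paper by bold title only, which drops the ePrint identifier that the removed `[research paper](https://eprint.iacr.org/2020/351.pdf)` link carried; if the external link has to go, keep the identifier in plain text (for example "IACR ePrint 2020/351") so the curve parameters this spec depends on can still be traced to one fixed document. In the frontmatter, `requires: 2539` now appears both before and after `created: 2020-10-05`; confirm that the merged file ends up with a single `requires:` key, otherwise the header will fail validation.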
@@ -30,20 +28,20 @@ The multiexponentiation operations are a generalization of point multiplication,

## Motivation

This EIP is based on and tends to replace [EIP-2541](https://github.com/matter-labs/EIPs/blob/sw6_wrapping/EIPS/eip-2541.md) for significant performance reasons. In most applications, BW6-761 is used as an outer curve to BLS12-377 considered in [EIP-2539](https://github.com/ethereum/EIPs/pull/2539).
This EIP is based on and tends to replace matter-labs' proposol for significant performance reasons. In most applications, BW6-761 is used as an outer curve to BLS12-377 considered in [EIP-2539](./eip-2539.md).
The motivation of this precompile is to allow efficient one-layer composition of SNARK proofs. Currently this is done by Zexe using the BLS12-377/CP6-782 pair of curves. This precompile proposes a replacement of CP6-782 by BW6-761, which allows much faster operations. For example, it was shown that verifying a Groth16 proof with BW6-761 is 30 times faster than with CP6-782.

### Proposed addresses table

|Precompile |Address |
|---|---|
|BW6_G1_ADD | 0x13 |
|BW6_G1_MUL | 0x14 |
|BW6_G1_MULTIEXP | 0x15 |
|BW6_G2_ADD | 0x16 |
|BW6_G2_MUL | 0x17 |
|BW6_G2_MULTIEXP | 0x18 |
|BW6_PAIRING | 0x19 |
| Precompile | Address |
| --------------- | ------- |
| BW6_G1_ADD | 0x1e |
| BW6_G1_MUL | 0x1f |
| BW6_G1_MULTIEXP | 0x20 |
| BW6_G2_ADD | 0x21 |
| BW6_G2_MUL | 0x22 |
| BW6_G2_MULTIEXP | 0x23 |
| BW6_PAIRING | 0x24 |

## Specification

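Review bot: typo in the new Motivation sentence: "matter-labs' proposol" should read "proposal", and "tends to replace" should be "intends to replace". Removing the `[EIP-2541](...)` link also removes the only identifier of the proposal being replaced; keep the number in the text ("matter-labs' EIP-2541 proposal") even if the external URL must go. The renumbered address table (0x1e through 0x24) also contradicts the Abstract, which still says "addresses to be determined"; either update that sentence or label the table as tentative so implementers do not hard-code addresses that may move again.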
@@ -228,11 +226,11 @@ Base cost of the pairing operation is `120000*k + 320000` where `k` is a number

## Rationale

Gas costs are based on EIP1962 estimation strategy (but do not fully include yet parsing of ABI, decoding and encoding of the result as a byte array).
Gas costs are based on [EIP-1962](./eip-1962.md) estimation strategy (but do not fully include yet parsing of ABI, decoding and encoding of the result as a byte array).

### Gas estimation strategy

Gas cost is derived by taking the average timing of the same operations over different implementations and assuming a constant `30 MGas/second`. Since the execution time is machine-specific, this constant is determined based on execution times of [ECRECOVER](https://github.com/matter-labs/eip1962/blob/master/run_bn_pairing_estimate.sh) and [BNPAIR](https://github.com/matter-labs/eip1962/blob/master/run_bn_pairing_estimate.sh) precompiles on my machine and their proposed gas price (`43.5 MGas/s` for ECRECOVER and `16.5 MGas/s` for BNPAIR). Following are the proposed methods to time the precompile operations:
Gas cost is derived by taking the average timing of the same operations over different implementations and assuming a constant `30 MGas/second`. Since the execution time is machine-specific, this constant is determined based on execution times of *ECRECOVER* and *BNPAIR* precompiles on my machine and their proposed gas price (`43.5 MGas/s` for ECRECOVER and `16.5 MGas/s` for BNPAIR). Following are the proposed methods to time the precompile operations:

- G1 addition: Average timing of 1000 random samples.
- G1 multiplication: Average timing of 1000 samples of random worst-case of double-and-add algorithm (scalar of max bit length and max hamming weight and random base points in G1)
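Review bot: the gas-calibration paragraph loses its only reproducibility anchor. Both removed links pointed at `run_bn_pairing_estimate.sh` in matter-labs/eip1962, which is what a reader needs to check the `30 MGas/second` assumption; note that both the ECRECOVER and the BNPAIR link referenced the same script, which looks like a copy-paste slip worth correcting rather than deleting. Replace the links with the script name and repository in plain text, and replace "on my machine" with the actual CPU used, since a gas schedule anchored to an unnamed machine cannot be re-derived by client teams.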
@@ -272,30 +270,28 @@ Required properties for pairing operation:
- Degeneracy `e(P, 0*Q) = e(0*P, Q) = 1`
- Bilinearity `e(a*P, b*Q) = e(a*b*P, Q) = e(P, a*b*Q)` (internal test, not visible through ABI)

Test vector for all operations are expanded in this [gist](https://gist.github.com/shamatar/506ab3193a7932fe9302a2f3a31a23e8) until it's final.

## Implementation
## Reference Implementation

There is a various choice of existing implementations:

**Libraries:**

- Rust implementation (EY/Zexe): https://github.com/yelhousni/zexe/tree/youssef/BW6-761-Fq-ABLR-2ML-M
- C++ implementation (EY/libff): https://github.com/EYBlockchain/zk-swap-libff
- Golang implementation (Consensys/gurvy): https://github.com/ConsenSys/gurvy
- Rust implementation (EY/Zexe): github.com/yelhousni/zexe/tree/youssef/BW6-761-Fq-ABLR-2ML-M
- C++ implementation (EY/libff): github.com/EYBlockchain/zk-swap-libff
- Golang implementation (Consensys/gurvy): github.com/ConsenSys/gurvy

**Stand-alone implementation:**

- Golang implementation with Intel assembly (Onur Kilic): https://github.com/kilic/bw6
- Golang implementation with Intel assembly (Onur Kilic): github.com/kilic/bw6

**Precompiles:**

- OpenEthereum (EY/Parity): https://github.com/EYBlockchain/solidity-elliptic-curves
- Frontier (Parity): https://github.com/paritytech/frontier/pull/1049/files
- OpenEthereum (EY/Parity): github.com/EYBlockchain/solidity-elliptic-curves
- Frontier (Parity): github.com/paritytech/frontier/pull/1049/files

**Scripts:**

- SageMath and Magma scripts: https://gitlab.inria.fr/zk-curves/bw6-761/
- SageMath and Magma scripts: gitlab.inria.fr/zk-curves/bw6-761/

## Security Considerations

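Review bot: deleting the test-vector line (`gist.github.com/shamatar/506ab3193a7932fe9302a2f3a31a23e8`) leaves the test section with property statements but no concrete vectors for a consensus-critical precompile; move the vectors into the EIP's assets directory instead of dropping the reference, so that the degeneracy and bilinearity checks listed above can actually be exercised by implementations. Stripping `https://` from the implementation URLs turns them into plain text that no longer renders as links; if the intent is to satisfy the no-external-links rule, that is fine, but the renamed "Reference Implementation" heading then points at a list of non-resolvable names, so state which of them is the reference.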